CVE-2019-13235
Description
In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there is XSS in the Login form.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSS vulnerability in the Alkacon OpenCms Apollo Template login form allows attackers to inject arbitrary web scripts without authentication.
Vulnerability Overview
The Alkacon OpenCms Apollo Template versions 10.5.4 and 10.5.5 contain a cross-site scripting (XSS) vulnerability in the login form; the description does not state whether it is stored or reflected. The official description confirms that improper handling of user input within the login form enables script injection [1][2]. This class of flaw occurs when the application fails to sanitize or encode input before embedding it in the page response, allowing an attacker to break out of the HTML context and execute arbitrary JavaScript in the victim's browser.
Attack Vector and Prerequisites
The vulnerability is present in the login form, which is typically accessible without authentication. An attacker can craft a malicious link or input that, when processed by the vulnerable form, injects a script payload. No authentication is required to reach the login page, and the attack does not require a privileged network position if the target system is exposed to the internet. The exploit can be delivered via a link or by directly submitting crafted data to the login endpoint [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session on the affected OpenCms instance. This can lead to session hijacking, defacement, credential theft, or redirection to malicious sites. Since the vulnerability exists in a public-facing component, the risk to confidentiality, integrity, and availability is elevated.
Remediation Status
The vulnerability has been addressed in subsequent commits to the Apollo Template repository on the branch_10_5_x branch [3]. Users should update to a patched version of the Apollo Template. According to the advisory on Packet Storm, the vendor was notified and a fix was prepared [1]. Organizations using the affected versions should apply the update as soon as possible to mitigate the risk.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.opencms:opencms-core | Maven | < 11.0.1 | 11.0.1 |
Affected products
- Alkacon/OpenCms Apollo Template (source: CVE description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2p6p-v69p-9mm9 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-13235 (GHSA advisory)
- packetstormsecurity.com/files/154298/Alkacon-OpenCMS-10.5.x-Cross-Site-Scripting.html (GHSA, x_refsource_MISC, web)
- aetsu.github.io/OpenCms (GHSA, x_refsource_MISC, web)
- github.com/alkacon/apollo-template/commits/branch_10_5_x (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.